Essential cookies only — Cookie Policy.
The NCSC recommends three random words as the basis for strong, memorable passwords. This generator creates 3–6 word passphrases using a CSPRNG — providing the entropy of a random password with the memorability of real words.
3–6 random words, live entropy scoring, multiple formats. Wordlist selected with crypto.getRandomValues() — nothing transmitted.
crypto.getRandomValues() — OS hardware entropy · Zero network requests · Nothing storedRandom generation for unpredictability. Real words for memorability. Live entropy for transparency.
Words are selected using crypto.getRandomValues() with rejection sampling for a perfectly uniform distribution — the same entropy as physical Diceware dice.
Four concrete words create a scene you can visualise. The memorability score estimates how quickly the generated passphrase can be retained using the image-linking technique.
Bits of entropy, estimated crack time, and strength rating update in real time with every option change — so you understand the security implications of each choice.
The wordlist is embedded in the page. All selection happens in your browser. Open DevTools → Network and generate — you will see zero requests during generation.
Based on a 1024-word curated wordlist (10 bits per word). All times assume 10 billion guesses per second — a high-end dedicated cracking machine.
| Words | Entropy | Characters (spaced) | Crack time estimate | Recommended for |
|---|---|---|---|---|
| 3 words | 30 bits | ~18 chars | ~107 seconds | Low-stakes accounts with MFA |
| 4 words | 40 bits | ~24 chars | ~30 hours | General accounts — recommended baseline |
| 5 words | 50 bits | ~30 chars | ~35 years | Master passwords, accounts without MFA |
| 6 words | 60 bits | ~36 chars | ~36,500 years | Encryption keys, highest-value accounts |
| NCSC Cyber Aware baseline: 3 words. NIST SP 800-63B 2025 minimum: 15 characters. Adding a number and symbol adds ~12–16 bits above these figures. | ||||
Open-source, independently audited password manager. Free tier for individuals; Families plan covers 6 users. Store all your generated passphrases securely. Zero-knowledge encryption — Bitwarden cannot read your vault.
Try Bitwarden →Polished password manager with an Emergency Kit — a printable recovery document generated at setup. Excellent for users who want a guide through secure configuration. Watchtower feature monitors saved credentials against breach databases.
Try 1Password →The Electronic Frontier Foundation's free printed Diceware guide teaches the physical dice method alongside the EFF large wordlist. Recommended for users who want a method with zero software dependency for their most sensitive credentials.
Read the EFF guide →The guides and generator on this site are written and maintained by Daniel Hayes, an hobbyist with a keen interest in password security and online safety who has advised organisations on password policy and authentication for over a decade. Daniel's work includes implementing NIST SP 800-63B-aligned authentication systems and delivering NCSC-aligned password guidance to public sector and commercial organisations.
All content aligns with the NCSC Cyber Aware guidance, NIST SP 800-63B 2025, and the EFF Diceware method.
About Daniel Hayes →Specialist password and passphrase tools for every audience.
Hardware and software recommendations verified by our team.
Hardware security key — phishing-proof 2FA for all your accounts.
Check price →Multi-device antivirus, VPN, and identity protection suite.
Check price →Whole-home VPN router — protect every connected device on your network.
Check price →As an Amazon Associate we earn from qualifying purchases.